From: Dmitry Belyavskiy Date: Fri, 4 Oct 2024 15:06:38 +0000 (+0200) Subject: Documenting CRL download usage and restrictions X-Git-Tag: openssl-3.5.0-alpha1~1033 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e647220c00bb1da0518f8a31ed07b2a0977a3c9e;p=thirdparty%2Fopenssl.git Documenting CRL download usage and restrictions Fixes #25603 Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25608) --- diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 2a4f548d072..75934e714b3 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -279,7 +279,9 @@ See L for details. =item B<-crl_download> -Download CRL from distribution points in the certificate. +Download CRL from distribution points in the certificate. Note that this option +is ignored if B<-crl_check> option is not provided. Note that the maximum size +of CRL is limited by L function. =item B<-key> I|I diff --git a/doc/man3/X509_load_http.pod b/doc/man3/X509_load_http.pod index a147c43caa3..e17330b0558 100644 --- a/doc/man3/X509_load_http.pod +++ b/doc/man3/X509_load_http.pod @@ -27,6 +27,9 @@ see L: X509_load_http() and X509_CRL_load_http() loads a certificate or a CRL, respectively, in ASN.1 format using HTTP from the given B. +Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs +and hard coded in the functions. + If B is given and B is NULL then this BIO is used instead of an internal one for connecting, writing the request, and reading the response. If both B and B are given (which may be memory BIOs, for instance)
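Review bot: In the doc/man1/openssl-s_client.pod.in hunk, the new text for B<-crl_download> says the option "is ignored" without B<-crl_check>, but it does not spell out the consequence a user cares about: no CRL is fetched and no revocation check takes place, with nothing in the wording to suggest a warning is printed. I would state that directly, for example "This option has no effect unless B<-crl_check> is also given; without it no CRL is downloaded and revocation is not checked." The two back-to-back sentences starting "Note that" also read awkwardly, and "if B<-crl_check> option is not provided" is missing an article. For the size limit, consider giving the figure here (the X509_load_http.pod hunk in this same patch states 32 MB for CRLs) so the reader does not have to follow the link to learn it.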
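Review bot: In the doc/man3/X509_load_http.pod hunk, the added sentence gives the limits (100 kB for certificates, 32 MB for CRLs) but not what the caller sees when a response exceeds them. Please document the failure behaviour alongside the numbers, since an oversized CRL from a distribution point is exactly the case a caller needs to handle. The phrasing "and hard coded in the functions" is also ungrammatical; something like "These limits are hard-coded and cannot be changed by the caller" would read better and makes the restriction explicit.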